[Oisf-users] PCRE question

kay kay.diam at gmail.com
Wed Jul 11 18:06:16 UTC 2012


I have noticed the /H modifier. I've never heard of such a modifier.

"/Host\x3a ([0-9]{1,3}\.){3}[0-9]{1,3}/H"

2012/7/11 Brandon Ganem <brandonganem+oisf at gmail.com>:
> Hi all,
> I'm trying to use signatures with PCRE in them. Looking at my suricata.log
> file I see many entries with the following:
>
>
> [18575] 11/7/2012 -- 13:22:40 - (detect-pcre.c:949) <Error>
> (DetectPcreParse) -- [ERRCODE: SC_ERR_PCRE_STUDY(6)] - pcre study failed :
> unknown or incorrect option bit(s) set
> [18575] 11/7/2012 -- 13:22:40 - (detect.c:547) <Error> (DetectLoadSigFile)
> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert
> http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET WORM AirOS .css
> Worm Outbound Propagation Sweep"; flow:established,to_server;
> content:"/admin.cgi/.gif"; http_uri; pcre:"/Host\x3a
> ([0-9]{1,3}\.){3}[0-9]{1,3}/H";
> reference:url,seclists.org/fulldisclosure/2011/Dec/419;
> reference:url,www.root.cz/clanky/virus-v-bezdratovych-routerech-skynet/;
> classtype:trojan-activity; sid:2014041; rev:5;)" from file
> /etc/suricata/rules/worm.rules at line 152
>
> I've installed pcre with jit enabled as per:
> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Installation_from_GIT_with_PCRE-JIT
> I also referenced:
> http://blog.inliniac.net/2011/10/12/suricata-and-pcre-performance/
>
> Note: as far as I can tell this happens on every sig with PCRE in it. Hard
> to tell. Am I just doing something wrong?
> I'm on the latest GIT, along with pcre 8.31 (I was on 8.20 RC1 as per the
> guide, but I upgraded in an attempt to fix this).
>
> Thanks!
>
> _______________________________________________
> Oisf-users mailing list
> Oisf-users at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
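An added example (not part of this thread and not Suricata's own code) showing what the /H modifier in the quoted rule is: a Suricata buffer selector (http_header) that is stripped off before the regex reaches PCRE, unlike the i/s/m/x engine flags. The modifier table is an assumption based on Suricata's documented pcre keyword, and the request headers are constructed sample input.

```python
import re
from dataclasses import dataclass

# Standard PCRE compile flags that Python's re understands as well
# (assumption: Suricata hands these through to PCRE unchanged).
PCRE_FLAGS = {"i": re.IGNORECASE, "s": re.DOTALL,
              "m": re.MULTILINE, "x": re.VERBOSE}

# Suricata-only modifiers: they select the buffer the regex runs against and
# are never passed to PCRE (assumption: based on Suricata's pcre docs).
BUFFER_MODIFIERS = {
    "H": "http_header", "U": "http_uri", "I": "http_raw_uri",
    "P": "http_client_body", "Q": "http_server_body", "C": "http_cookie",
    "M": "http_method", "D": "http_raw_header", "S": "http_stat_code",
    "Y": "http_stat_line", "R": "relative",
}

@dataclass
class ParsedPcre:
    pattern: str       # regex body between the slashes
    buffers: list      # buffer/position modifiers, e.g. ["http_header"]
    engine_flags: int  # re flags built from i/s/m/x
    unknown: list      # modifier letters neither table knows

def parse_suricata_pcre(option: str) -> ParsedPcre:
    """Split a pcre:"/regex/flags" value into the regex and its modifiers."""
    text = option.strip().strip('"')
    if not text.startswith("/") or text.rfind("/") == 0:
        raise ValueError("pcre value must be /regex/ followed by optional flags")
    end = text.rfind("/")
    parsed = ParsedPcre(text[1:end], [], 0, [])
    for ch in text[end + 1:]:
        if ch in PCRE_FLAGS:
            parsed.engine_flags |= PCRE_FLAGS[ch]
        elif ch in BUFFER_MODIFIERS:
            parsed.buffers.append(BUFFER_MODIFIERS[ch])
        else:
            parsed.unknown.append(ch)
    return parsed

def header_buffer_matches(option: str, http_headers: str) -> bool:
    """Run an H-modified pcre against a (constructed) HTTP header block."""
    parsed = parse_suricata_pcre(option)
    if "http_header" not in parsed.buffers:
        raise ValueError("only the http_header buffer is modelled here")
    return re.search(parsed.pattern, http_headers, parsed.engine_flags) is not None

# Constructed sample: the pcre from the rule in the thread plus a fake request.
RULE_PCRE = r'"/Host\x3a ([0-9]{1,3}\.){3}[0-9]{1,3}/H"'
SAMPLE_HEADERS = "Host: 192.168.1.1\r\nUser-Agent: constructed\r\n"
```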
